cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
240
Views
0
Helpful
1
Replies

ASA State Tracking and Convergence

MikeO5422
Level 1
Level 1

Hello, quick question. Let's say you have a standalone ASA in the your data path, it is currently passing a number of previously initiated TCP sessions. Then, there is a network failure that causes traffic to transition to a different standalone ASA in the data path with the same ruleset. The new ASA now observes a number of uninitiated active TCP sessions. Do those sessions get blocked because the ASA never saw them setup or do they pass through? If they get blocked, can this be prevented? Is there anything you can do to help, like have the ASA issue a TCP reset for example? Thanks!

1 Reply 1

Rahul Govindan
VIP Alumni
VIP Alumni

In your scenario, the packets going to ASA2 will be dropped as by default as the first packet will be a SYN packet. Under ASP drop, you should see this as "First TCP packet not SYN (tcp-not-syn)".

Now an easy way to get past this is to have TCP state bypass running on ASA2. This essentially establishes the connection on the new ASA even if it is not a SYN packet and allows the traffic through. More info on how this works is here:

http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/118995-configure-asa-00.html#anc9

Review Cisco Networking for a $25 gift card